Privacy and Cookies Policy
Introduction
Your privacy is of the utmost importance to us; we are therefore committed to safeguarding your personal information.
That commences with helping you understand our privacy practices.
This policy attempts to describe the personal information we collect, how it is used and shared together with your choices regarding how this information is managed and applies to any user of our services.
Any reference in this policy to information or personal information is to “personal data” as defined under the General Data Protection Regulations.
About this policy
The Data Controller (the organisations responsible for looking after your data) is Cotswolds Spa Holidays Limited. “we”, “us” or “our” in this privacy policy.
We are grateful for the trust you place in us, to arrange holidays, manage holiday properties, take or remit payments, manage properties, obtain guest reviews and to use any personal information responsibly.
We are committed to protecting your information and believe you have a right to know how we will use it.
This policy seeks to set out our data protection principles.
The policy covers our dealings with customers and owners. either people who have booked or are looking for a holiday (our guests) and people who let their holiday properties through us as an agent (homeowners).
Please note that our customers and owners must be over the age of 18 and we do not therefore collect personal information from children.
We will update our Privacy and Cookies Policy as data protection law or business practices evolve.
You will be able to find the latest version of this policy on our website;
The current version of the policy is effective from 23 April 2018.
Third Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of any website you visit.
Data Protection Enquiries
For any queries with our data protection or privacy policies please contact us through the contact page on our website;
Your rights
We generally use your data either on the basis of your consent, or based on a formal contract between us (e.g. when you book a holiday, for a guest or when instructed to manage a property, for an owner). You can exercise your right to withdraw your consent from any marketing communications from ourselves or any third parties by contacting us directly on the “Data Protection Enquiries” link above.
If you withdraw your consent (e.g. by opting out of marketing communications), we will stop processing your data as requested. Bear in mind if you have a holiday booked and you have not yet travelled, we’ll still need to hold onto your data so we can process the holiday. That’s because the contract between us is the basis for using your data (rather than consent). For more information, see the “Legal basis of processing” section in the Glossary below.
If you are at all concerned about the processing of your data, please contact us via the “Data Protection Enquiries” link above.
You also have the right to receive a copy of the personal data we hold about yourself and to request that we correct or remove your data, when there remains no legal basis for keeping it. Please note that when these rights are exercised, we will conduct identification checks in order to ensure your privacy is safeguarded. You will need to contact us by email or post, to exercise these rights.
Personal information we collect
In order to provide you with the best possible holiday service, we collect the following information:
Identification: name, title, date of birth, age/age range, gender. car registration number (where applicable)
Contact details: postal addresses (main and billing), phone numbers, email addresses.
Bookings: property booked, holiday start/end dates, cost of holiday, amounts paid, limited details of other people booked on the same holiday (names, gender, age range).
Marketing preferences: whether you wish to receive marketing information from us.
Payment: method, the last four digits of card numbers, payment card expiry date, amounts collected, third party payment service provider references. Please note that we do not capture or store your full card details: payment is handled by our payment service providers (see below).
Browsing: historical searches, how you use our website, the devices and IP addresses you use to access our services (operating system, browser, …). We collect this information, via “Google Analytics”, so that we can continuously improve our website and our service to you.
Holiday experience: any feedback you leave, responses to customer satisfaction surveys, whether you have a pet, interests (e.g. preferred holiday type, such as walking holidays).
Specific to property owners: addresses of your properties, historical and future booking information (see above), photographs/videos of the properties you own.
(Note. We may need to pass this information on to third parties when instructing work on your behlaf)
Electronic identifiers: cookies, IP addresses. These electronic identifiers are essential to enable you to log into your online account and to assist you if you encounter difficulties using our online services. You can disable cookies if you wish, but this may hamper our ability to provide online services securely.
We may also receive some of the above information from other companies you use (e.g. other online holiday companies or portals that feature our properties). In such cases, those companies are also obliged to inform you about their use of your data.
Note – Failure to provide personal data: Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with accommodation). In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.
How is your personal data collected
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise.
This includes personal data you provide when you:
- Buy or express an interest in our products or services by phone or via our website or third party providers;
- Book a property or a service with us;
- Create a booking via our website;
- Contract with us to manage your property rentals;
- Subscribe to our newsletter;
- Request that we send marketing materials to you;
- Enter a competition, promotion or survey;
- Submit a review;
- Speak to customer services;
How we use your personal information
We use your personal information to:
- Manage your holiday booking/letting
- Ensure you can log into your online accounts with us
- Detect and prevent fraud or abuse of our services
- Communicate with you, including for example, responding to your emails, messages, handling customer service matters and so on
- Process your payments
- Make sure our systems are operating correctly
How we collect personal information
We receive personal information from:
- You, as you provide it to us (e.g. when booking a holiday, leaving a review or enquiring about letting a property)
- Your use of our website
- Third party holiday providers you may book with, who advertise our properties
- Your interaction with our very limited marketing activities (provided you have not unsubscribed)
- Third party review services such as TripAdvisor etc
Legal basis of processing
There are several grounds on which we will store and use your data:
Consent: for certain types of processing (e.g. marketing activities), we rely on your consent to use your data. You may withdraw your consent at any time (see “Your rights”, above).
Contract: much of the time, our use of your data will be because of the contract between us – that is, in relation to your holiday booking. We will usually retain relevant data for up to seven years from the date the contract completes – e.g. the last day of your holiday.
Legal obligations: we are under certain binding legal obligations, such as accounting to the government for tax and making financial records available for audit. In such cases, we are typically obliged to retain data for up to seven years from the date of the transaction.
Legitimate interests: we may use data to manage our operations and to make business process improvements. Rest assured, our legitimate interests will never override your right to privacy
How we share your personal information
We are obliged to share some of your contact information with property owners, your booking contract is ultimately with them.
If you permit us to send you marketing information, we may share your data with companies that provide specialist marketing platforms. These companies are under strict obligations to protect your privacy and comply with your marketing preferences.
Notes:
1. We store your data in certain cloud services provided by third parties. Those third parties do not however have access to your data.
2. We do not transfer your data outside the UK or the European Union.
Payment service providers
In order to ensure your transactions are as secure as possible we don’t take payment over the phone but rely on thrid party payment providers who use encryption to protect your data when taking online payments:
- PayPal (Europe)
- Holiday Bookings Online
- Monek/Secure Hosting
- Worldpay
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that, some parts of this website may not function properly.
Updates to this policy
We monitor and review our privacy policy regularly.
If we make significant changes we will endeavour to notify you through the website or through others means, such as email.
Any Questions
If you have any queries, please don’t hesitate to fill in our contact form on the following link.
Glossary
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent means you have explicitly given us permission to process your personal data. In such circumstances we will have asked you a specific question and you will have entered information or ticked a tick-box to indicate your consent.
THIRD PARTIES
EXTERNAL THIRD PARTIES
Service providers acting as processors based in the UK or EU who provide IT and system administration services.
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK and EU who provide consultancy, banking, legal, insurance and accounting services.
HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
Customer service call, email, webchat, display advertising and website behavioural service providers, acting as processors, based in the UK, EU or USA;
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. In such circumstances we may reserve the right to delete your personal data rather than hold it but restrict processing, where our processes are not set up to enable a restriction.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Request to opt out of automated profiling of your personal data. You have the legal right to opt-out of any automated profiling of your personal data that could have a legal consequence for you, and have a human being involved in the processing decision rather than it being automated. The only profiling of this type that we undertake is in our marketing activities, in which we tailor our marketing communications to your transactional history and product preferences. If you wish to opt-out of this automated profiling please contact us, though please be aware that our systems are not configured to send un-tailored marketing communications to you, so in practice opting out of automated profiling will result in you being opted out of receiving marketing communications from us.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.